12-31-2008 03:50 AM - edited 03-04-2019 03:17 AM
Hi all,
I'm using a Cisco 877 (c870-advipservicesk9-mz.124-2.T2) at a location.
This location has a (last mile) radio bridge based internet connection (ethernet port).
I made 2 VLANs on the 877.
Step 1:
vlan database
vlan 2
vlan 3
exit
Step 2:
interface Vlan2
 ip address 10.204.100.1 255.255.255.224
 ip nat inside
interface Vlan3
 ip address 124.29.12x.2 255.255.255.252
 ip nat outside
Step 3:
interface FastEthernet0
 switchport access vlan 2
interface FastEthernet3
 switchport access vlan 3
VLAN 2 connects the LAN users via FastEthernet0.
VLAN 3 connects to the internet device via FastEthernet3.
Then I made a NAT rule:
ip nat inside source list 100 interface vlan3 overload
ACL 100:
access-list 100 permit ip 10.204.100.0 0.0.0.31 any
Default route:
ip route 0.0.0.0 0.0.0.0 125.29.12x.1
Now this config works on an old 2611 with 2 real Ethernet ports.
My workstation 10.204.100.2 can connect to the internet just fine with the 2611,
but I can't seem to get it to work with the new 877.
Any idea where I'm going wrong?
I know it's gotta be a VLAN config problem or VLAN limitation, because the NAT works fine with the other router.
Please help.
12-31-2008 09:15 AM
Is the default route you entered here a typo? It is not a part of the network you have defined on VLAN 3.
01-01-2009 05:04 AM
It was a typo.
The funny thing is that I installed an 837 (which has 2 Ethernets: eth2 mapped on FastEthernet4 and ethernet1 mapped on FastEthernet 1, 2, 3)
and it seems to work fine.
The 877 is giving problems with NATing with 2 VLANs defined as per my first post.
Any resolution?
Cisco, I need help.
01-01-2009 07:41 AM
I had a similar issue a while back with overloading to virtual interfaces but I forget the exact details now.
I found that if, instead of overloading to the interface, I created a NAT pool with the one external address in it and overloaded to the NAT pool, then it worked.
Worth a shot.
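The NAT-pool variant suggested in the reply above, written out as an added example that is not part of the original post. The pool name OUTSIDE-POOL and the address 203.0.113.2 are constructed placeholders; substitute the address actually configured on Vlan3.

```cisco
! Added example; the pool name and address are constructed placeholders.
! 203.0.113.2/30 stands in for the address configured on Vlan3 (outside).
!
! Remove the interface-overload rule first. If IOS refuses because dynamic
! translations are in use, run "clear ip nat translation *" in exec mode
! and repeat the "no" command.
no ip nat inside source list 100 interface Vlan3 overload
!
! One-address pool: start and end are the same outside address.
ip nat pool OUTSIDE-POOL 203.0.113.2 203.0.113.2 netmask 255.255.255.252
!
! The same ACL 100 selects the inside hosts; "overload" enables PAT so
! all of them share the single pool address.
ip nat inside source list 100 pool OUTSIDE-POOL overload
!
! Inside/outside roles on the VLAN interfaces stay as they were.
interface Vlan2
 ip nat inside
interface Vlan3
 ip nat outside
!
! Checks after sending traffic from an inside host (exec mode):
!   show ip nat translations   - inside local 10.204.100.x entries should
!                                map to the pool address
!   show ip nat statistics     - the hit counter should increase
```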
01-01-2009 11:13 AM
Zaid
I have a suggestion to change your NAT configuration. Since your NAT rule is only checking the source address you do not really need an extended access list in the NAT. I suggest changing the access list from extended to standard.
So the config would look something like this:
ip nat inside source list 10 interface vlan3 overload
access-list 10 permit 10.204.100.0 0.0.0.31
Give it a try and let us know if it helps.
HTH
Rick
01-02-2009 12:10 AM
Hi Rick,
Did that as well, but it doesn't seem to work.
Could it be an ISP issue?
Really gotten me confused now.
01-02-2009 05:09 AM
Zaid
One way to check on possible issues is to attempt to ping some Internet resources from the router itself. Can you ping www.cisco.com from the router?
HTH
Rick
01-02-2009 07:28 AM
I would try to change your NAT statement to a physical interface (Fa3) instead of the VLAN.
HTH,
John